The Song Remains The Same: We Can’t Confirm If The Data Was Encrypted Properly

I open with a statement … “Businesses need to understand that encryption is not a switch that you just enable, and it all works.”

And so, in the past, a data breach would go unreported for months, but those days are past. For Marriott, a suspicious encrypted file was flagged on 8 September 2018, and it was only on 19 November 2018 that the company was able to decrypt it and find that it contained sensitive personal information related to their hotel bookings.

In the past, this type of activity might have gone unreported, but these days, with GDPR, companies are required to notify the supervisory authority within 72 hours of becoming aware of a breach (Article 33), and to inform the affected individuals without undue delay where the risk to them is high (Article 34). The reporting, though, leaves many questions unanswered, especially around the vague statements about the use of encryption. It is another in a long line of vague reports on how encryption was actually used.

If the Marriott data hack [here] shows one thing, it is that audit and compliance regimes do not work, and that there is a serious lack of investment in making sure that data is actually encrypted. For many companies it has been business as usual after GDPR, and they continue to run their data infrastructures on unencrypted data. The current hack relates to the Starwood reservation database, which had been accessed without authorisation since 2014. The exposed data includes names, phone numbers, email addresses, passport numbers, dates of birth and arrival and departure information for around 327 million people, along with credit card details for an unknown number of them. For encryption, it was the same old story:

… we cannot confirm if the hackers were able to decrypt the credit card numbers.

It follows a long line of CEOs holding up their hands and saying that they did not actually know whether their sensitive data was encrypted. This is like the chief executive of BMW saying that they do not know whether their cars are fitted with seat belts, because it is not their role to check that they have been added.

But the hackers knew how to encrypt data: Marriott detected an encrypted file on 8 September 2018, and only on 19 November 2018 did they manage to decrypt it and find that it held the contents of the Starwood guest reservation database. Attackers routinely encrypt what they steal before moving it out, precisely so that monitoring and data-loss-prevention tools cannot see what is leaving. Why can hackers encrypt data, while some large companies seem unable to do it?

The reporting of the Marriott incident becomes a little farcical in places:

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

Basically, it says very little beyond confirming that the card numbers were encrypted with AES-128. The "two components" are presumably the ciphertext and the key material needed to decrypt it, and the admission that both may have been taken suggests that the keys were stored somewhere an attacker with access to the database could also reach. Any good crypto person will tell you that the keys must live apart from the encrypted data, ideally in an HSM or key-management service that performs the decryption itself and only for authorised callers, so that a copy of the database on its own is worthless.

Within the Yahoo hack, the vagueness of the reporting on the encryption was highlighted in a jumbled statement that actually says very little:

"We have confirmed, based on a recent investigation, that a copy of certain user account information was stolen from our networks in late 2014 by what we believe is a state-sponsored actor," Lord wrote. "The account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers."

It is littered with “may have” and “in some cases”, and “encrypted or unencrypted security questions and answers” is the Venn diagram of every possible case, which says nothing at all. Even the part that looks precise is not: “the vast majority with bcrypt” concedes that some passwords were hashed with something weaker, without saying what.

The damage of a data breach?

The large stick of GDPR is hovering over this breach. If this data breach shows anything, it is that companies need to review their encryption processes, create a separation between keys and encrypted data, and put strong access controls around both. Better still, organisations should invest in a tokenization infrastructure, so that systems such as reservations hold only tokens while the real values sit in one tightly controlled vault, and anonymise every data element that does not need to be in the clear.
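To make the "two components" from Marriott's statement concrete, and to show the key separation that the paragraph above and the earlier discussion of the statement call for, here is an added example in Go. It is not Marriott's code and not from the original article: it implements envelope encryption, where each card number is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves a key service, and the key service will only unwrap for a role it recognises. The KeyService type, the role names and the test card number are all hypothetical; in a real deployment the KEK sits in an HSM or a cloud KMS and the role check is backed by that service's access policy and audit log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical stand-in for an HSM or cloud KMS. It holds the
// key-encryption key (KEK) and never releases it: callers may only ask it to
// wrap or unwrap a data-encryption key (DEK), and unwrapping is gated by role.
type KeyService struct {
	kek     []byte
	allowed map[string]bool
}

func NewKeyService(allowed map[string]bool) *KeyService {
	kek := make([]byte, 16) // AES-128, the key size quoted in Marriott's statement
	rand.Read(kek)          // crypto/rand.Read is guaranteed not to fail from Go 1.24
	return &KeyService{kek: kek, allowed: allowed}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-GCM and prefixes a fresh random nonce; aeadOpen
// reverses it and rejects any ciphertext that has been modified.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // a nonce must never be reused under the same GCM key
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func (ks *KeyService) Wrap(dek []byte) ([]byte, error) { return aeadSeal(ks.kek, dek) }

func (ks *KeyService) Unwrap(role string, wrapped []byte) ([]byte, error) {
	if !ks.allowed[role] {
		return nil, fmt.Errorf("role %q is not permitted to unwrap keys", role)
	}
	return aeadOpen(ks.kek, wrapped)
}

// CardRecord is what the reservation database stores, the "two components":
// the card number under a per-record DEK, and that DEK wrapped by the KEK.
type CardRecord struct {
	CardCiphertext []byte
	WrappedDEK     []byte
}

func StoreCard(ks *KeyService, pan string) (rec CardRecord, err error) {
	dek := make([]byte, 16)
	rand.Read(dek) // a fresh DEK per record
	if rec.CardCiphertext, err = aeadSeal(dek, []byte(pan)); err != nil {
		return
	}
	rec.WrappedDEK, err = ks.Wrap(dek)
	return
}

// ReadCard is the only path back to a card number, and only for an allowed role.
func ReadCard(ks *KeyService, role string, rec CardRecord) (string, error) {
	dek, err := ks.Unwrap(role, rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := aeadOpen(dek, rec.CardCiphertext)
	return string(pt), err
}

func main() {
	ks := NewKeyService(map[string]bool{"payments": true})
	rec, _ := StoreCard(ks, "4111111111111111") // constructed test PAN, not real data
	_, err := ReadCard(ks, "stolen-db-copy", rec) // attacker holding both components
	pan, _ := ReadCard(ks, "payments", rec)       // the authorised service
	fmt.Println("attacker:", err, "| payments:", pan)
}
```

Run it and the stolen copy of the database, holding both columns, yields only an error, while the payments role gets the card number back. Because AES-GCM is authenticated, a record that has been tampered with is rejected rather than silently decrypted to garbage. What Marriott could not rule out is an attacker who reached the key service itself, and that is exactly what the role check, and the audit trail a real KMS keeps of every unwrap, is there to make visible.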

Marriott’s (MAR) share price dropped 6% on the announcement. If you are interested, here is some research we did on the impact of data breaches on stock prices: link.

Conclusions

Aim for a high FIPS 140 level for your cryptographic modules and review your encryption. Look at the risks involved, and make sure you address them. If Marriott had had proper encryption in place, with keys the attacker could not reach, it would not have had to notify the affected individuals: GDPR Article 34 exempts data that has been rendered unintelligible to anyone not authorised to access it, although the supervisory authority would still have had to be told under Article 33. This is likely to be a costly breach for the company, both in brand damage and in fines. It is only likely to be the start of the finger-pointing at the company, especially as the actual details of the breach are reported.

To state it again: “Encryption is not a switch”. It needs to be done properly, with encryption at many levels, and where it also protects identities. The management of the encryption keys is a fundamental task for an organisation, and it needs to be risk assessed and carefully managed: who can use a key, from where, and with what audit trail. Strong access control around the usage of the keys then becomes fundamental to the overall security of the infrastructure.

There are many levels of encryption, and companies must move towards complete anonymisation of their data infrastructure, both for identity and for the actual data content. The sooner we move towards passing anonymised tokens in place of the real values, the better.
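As an added example of the tokenization that this paragraph and the earlier recommendation call for (not code from the original article, and not any real vendor's product), here is a hypothetical TokenVault in Go. It is the only component that ever holds a real card number: it hands the reservation system a random token that keeps just the last four digits, maps the same card to the same token within a vault via a keyed HMAC index, and returns the real number only to a role it recognises. The vault, the role names and the test card numbers are assumptions for illustration; in production this role is played by a dedicated tokenization service or a payment gateway's vault.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// TokenVault is a hypothetical stand-in for a tokenization service. It is the
// only system that ever sees a real card number (PAN); every other system
// stores and passes around the token it hands back.
type TokenVault struct {
	indexKey []byte            // keyed lookup so the same PAN maps to the same token
	byIndex  map[string]string // HMAC(PAN) -> token
	byToken  map[string]string // token -> PAN, the only place the PAN lives
	allowed  map[string]bool   // roles permitted to detokenize
}

func NewTokenVault(allowed map[string]bool) (*TokenVault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &TokenVault{indexKey: k, byIndex: map[string]string{}, byToken: map[string]string{}, allowed: allowed}, nil
}

// index is a keyed hash of the PAN: a plain hash would be brute-forceable over
// the small space of valid card numbers, so the key must stay inside the vault.
func (v *TokenVault) index(pan string) string {
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// randomDigits draws n uniformly random decimal digits from crypto/rand.
func randomDigits(n int) (string, error) {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		sb.WriteByte(byte('0' + d.Int64()))
	}
	return sb.String(), nil
}

// Tokenize returns a token of the PAN's length that keeps only the last four
// digits (enough for receipts and customer service); the rest is random, so
// the token carries no information about the real number.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be 13-19 digits")
	}
	idx := v.index(pan)
	if tok, ok := v.byIndex[idx]; ok {
		return tok, nil // already tokenized: reuse, so other systems can join on it
	}
	for {
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := prefix + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; !taken && tok != pan {
			v.byIndex[idx], v.byToken[tok] = tok, pan
			return tok, nil
		}
	}
}

// Detokenize is the only way back to the PAN and is gated by role.
func (v *TokenVault) Detokenize(role, token string) (string, error) {
	if !v.allowed[role] {
		return "", fmt.Errorf("role %q may not detokenize", role)
	}
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

func main() {
	vault, _ := NewTokenVault(map[string]bool{"settlement": true})
	tok, _ := vault.Tokenize("4111111111111111") // constructed test PAN, not real data
	_, err := vault.Detokenize("booking-frontend", tok)
	pan, _ := vault.Detokenize("settlement", tok)
	fmt.Println("reservation DB holds:", tok, "| frontend:", err, "| settlement:", pan)
}
```

With this in place, a copy of the reservation database is a table of tokens that cannot be turned back into card numbers without compromising the vault as well, and the reservation system never needs an encryption key at all. Keeping the last four digits is a deliberate, bounded leak for operational use; if it is not needed, drop it and the token becomes entirely random.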

Overall the boards of companies need to get more technical and ask the right questions: